Question about key life times Phase 1+2

I was wondering if anyone knows for sure if this can affect VPN reliability?
As I understand it, and maybe I am wrong, phase 2 is reliant on proper phase 1 negotiation. If we are setting our key life times to times that coincide with one another could phase 2 be relying on an old SA that is currently trying to be renegotiated?
Put another way, letâ€™s say our phase 1 and phase 2 are both set to 3600 (1 hour). Both the phase 1 and phase 2 keys are trying to negotiate at the same time which could produce a short period of downtime if the phase 2 beats 1 to the finish line. Wouldn't we see better results by setting the phase 2 key life time to something other than 3600 or any multiple of 3600 (i.e. 7200, 28800, etc.)? Would setting the phase 1 key life time to 3600 and phase 2 to 4000? That way when phase 2 negotiates there is already a phase 1 SA in place.
Or am I totally off base here? If so could you explain why or point me towards some documentation on the subject.
Thanks

I've personally noticed that if I synchronize both phase I and II to the same values, the tunnels consistently re-establish themselves. If there is a latency that occurs during re-negotiation, I've never been on the network at the same time to notice it...

There should be no issue with making them whatever amount you want within the parameters of the routers. Phase 1 has to take place and be agreed upon on both ends before the routers go into Phase 2. Think of Phase 1 and 2 like a TCP negotiation, a message is sent and a reply is waited for, if no reply or incorrect reply the connection goes no further. If the correct parameters are accepted across the board then the routers move to phase 2 and the negotiation takes place all over again, if one piece is incorrect the connection will cease with phase 1 taking place correctly but an error reported during phase 2.

There should be no issue with making them whatever amount you want within the parameters of the routers. Phase 1 has to take place and be agreed upon on both ends before the routers go into Phase 2. Think of Phase 1 and 2 like a TCP negotiation, a message is sent and a reply is waited for, if no reply or incorrect reply the connection goes no further. If the correct parameters are accepted across the board then the routers move to phase 2 and the negotiation takes place all over again, if one piece is incorrect the connection will cease with phase 1 taking place correctly but an error reported during phase 2.

Click to expand...

This is an interesting and timely post. I had exactly this discussion with one of my clients this week. I used FTP as an analogy: It has 2 channels...a control plane where all the authentication and negotiation (PASV vs. ACTV mode, client-side data port #'s, etc.) takes place and a data channel that exists to pass data only. Phase I and Phase II in an IPSec VPN work like this, too. (incidentally, this is true of PPTP too).

I'm sure you know all this (excuse the digression!) but what I have always found interesting is how common practice has nothing to do with either best practices or common sense for that matter. Since, as you say, Phase I exists to, among other things, renegotiate Phase II if this (data) tunnel goes down, why is it that there is a common body of thought that sets the SA lifetime for Phase I as less than that for Phase II? I know the reasoning, "If it's not needed then don't leave it up since it may prove to be a vulnerability." but that kind of thinking is suspect at best, errant at worst. In the "real world" that I work in, I invariably set the SA lifetime greater for Phase I than for Phase II for the simple reason that when you need it, you need it NOW! When you consider that Cisco's default for SA lifetime is 86400 seconds (ie: a day) and that a properly setup tunnel will use 3DES or better as a cipher, a boatload of Cray supercomputers would take several weeks/months to start making preliminary guesses at the data, let alone break the code....and by then you've re-keyed the tunnel several times over, what's the point?

Network Security is always going to be a tug-o-war between "network" and "security", usability vs. inscrutability.

ed001's post, essentially questioning whether PhaseI and PhaseII SA lifetime being set as equal may result in synchronization issues is a a good one, but not an issue in my own experience.

...what a long-winded response...sorry!

Executive summary: Phase I lifetime should be greater than Phase II lifetime. My opinion, but based on a lot of experience with this stuff.